Most UK small- and medium-sized businesses (SMBs) misunderstand the impact of Brexit on compliance to the General Data Protection Regulation (GDPR), according to new research conducted by endpoint security company Webroot.

Webroot’s “Ready or Not: SMBs and the GDPR” survey of 501 UK SMBs indicated 81 percent of respondents said they have heard about the impending GDPR. However, of this 81 percent, only two-thirds were able to provide an accurate description of the GDPR’s purpose, Webroot stated.

Twenty-six percent of survey respondents said they believe the GDPR is simply an advisory measure that allows participating organizations to highlight their compliance online and in marketing materials, Webroot noted.

Moreover, 8 percent of SMBs stated they believe the GDPR is applicable only to very large or multinational companies, the survey showed.

Other Webroot survey results included:

73 percent of businesses that have to become compliant to GDPR did not think customer data will be any safer due to the legislation.

49 percent of businesses said they are not confident they can meet the GDPR mandates for compliance.

46 percent of businesses subject to compliance to GDPR were uncertain if they would have to remain compliant to GDPR after Brexit, and 6 percent were certain that they would not.

Overall, companies needing to comply with the GDPR made up 65 percent of the SMBs surveyed, according to Webroot.

Tips for UK SMBs

GDPR takes effect May 25, 2018, and UK SMBs that fail to comply with this data privacy regulation could face steep fines and penalties.

“The GDPR seeks to better protect customers of all types within the European Union, an issue that SMBs should find indisputably relevant,” Webroot wrote in its survey report. “At the same time, the finer details of the GDPR also are very complex, presenting small businesses and entrepreneurs with a variety of issues many never considered before.”

To assist SMBs, Webroot offered the following recommendations to help these businesses ensure GDPR compliance:

Act Now: GDPR may require organizations to invest time and resources to implement new processes. As such, organizations that act now may be better equipped than others to get ready for GDPR.

Know Your Data: Learn what corporate and personal data that an organization has, where it is stored and in what systems. Then, organizations can plan audits and dedicate resources to perform assorted data management processes.

Delete Data as Needed: Legal requirements are in place to maintain certain types of data. Conversely, an organization should remove all data that it does not need.

Maintain Open Lines of Communication: “Proper internal communications to all employees and external communications to suppliers will help make them aware of changes and give them time to amend their own processes in good time,” Webroot wrote in its report.

Consider a Privacy Impact Assessment. A privacy impact assessment may be needed to determine if invasive means of collecting personal data are used and if data is processed fairly and lawfully.

SMBs also can adopt a multi-layered security approach to meet GDPR, Webroot Business Sales Leader for EMEA Adam Nash said in a prepared statement.